Thanks to partisan politics and intensive industry lobbying, we have no strong federal breach notification law. This, of course, is not news to my readers. But in light of (1) Congress’s current interest in cybersecurity and sharing of information, (2) the fact that up to 40% of breaches are first detected by members of the public, and (3) how damned difficult it can be to contact an organization to alert them that they’ve had a breach, I thought of proposing a bill. I don’t have a snappy acronym for it yet, which may doom it, but if you like the concept, perhaps you or the Twitterverse can come up with one and help me flesh this out more.
So before I invest a lot of time in the language, here’s a brief outline of what the law might contain/say:
A BILL
To require any entity that collects, processes, or stores personally identifiable information to provide prominently displayed contact information on their web site to be used for reporting a data security breach, security vulnerability, or privacy concern.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. NOTICES REGARDING CONTACT INFORMATION
(a) In General- Any entity that collects, processes, or stores personally identifiable information or sensitive personally identifiable information in any format for more than 50 U.S. citizens or residents shall display on the home page of their web site a notice providing a United States-based phone number with an e-mail address or link to an on-site contact form that can be used to report a security vulnerability, data security breach, or privacy concern involving the web site or entity’s database(s).
(b) Monitoring – The phone number, e-mail address, and contact form notification shall be monitored by the covered entity or its designated responsible party every day.
(c) Receipt of Notice – Covered entities or their representative will acknowledge receipt of the notification of a data security breach, possible vulnerability, or privacy breach within 24 hours of notice if the notifier provides an e-mail address or phone number.
SECTION 2. RESPONSE TO NOTIFICATION OF A DATA SECURITY BREACH
(a) In General – Covered entities shall initiate investigation of a report of a data security breach involving personally identifiable information or sensitive personally identifiable information within 24 hours of being notified.
(b) Mitigating Exposure – Covered entities shall take steps to prevent further exposure:
(i) In the event that personally identifiable information or sensitive personally identifiable information has been exposed on the Internet, the entity shall promptly, but in no case later than 24 hours, attempt to have the data removed.
(ii) In the event that paper records with personally identifiable information or sensitive personally identifiable information have been improperly disposed of or found in public spaces, the entity shall, within 24 hours, arrange to recover possession of the records. The recovery of records shall be completed within 72 hours from time of initial notification.
SECTION 3. PROMOTING RESPONSIBLE DISCLOSURE
(a) In General – Any individual or organization that provides notification to a covered entity of a security vulnerability involving the covered entity’s web site or server(s) containing personally identifiable information or sensitive personally identifiable information shall be immune from civil or criminal action as long as:
(i) Notification is made to the covered entity and the entity is given an opportunity to secure its databases or server before the vulnerability is disclosed to others;
(ii) Personally identifiable information or sensitive personally identifiable information is not disclosed to others in unredacted form;
(iii) Personally identifiable information or sensitive personally identifiable information is securely deleted after acknowledgement of the vulnerability by the covered entity; and
(iv) Collection or download of personally identifiable information or sensitive personally identifiable information is kept to the minimum necessary for proof of vulnerability.
(b) Response to Notification – A covered entity shall respond to a notification of vulnerability within seven (7) days. The response:
(i) Shall include the covered entity’s findings with respect to the reported vulnerability, and
(ii) Steps the covered entity has taken or will take to address confirmed vulnerabilities.
Okay, that’s enough to show you where I’m going with this. Obviously, it would need sections on definitions and enforcement.
But what do you think so far? Is this a good idea to pursue, or is it a bad idea?
And if you think it’s a good idea, what should we call this?
The Get Your Head Out of Your Ass, Please Act of 2013?
The Privacy and Security Notification Act of 2013?
The Wake Up and Smell the Data Leak Act of 2013?
Maybe if we throw in a “cyber” somewhere in the title…?
Have at it.
Update: This post and discussion on Slashdot last night are yet another demonstration of why we may need a federal law like this.
Maybe I should call it the “Help Me Help You Act” or the “Jerry Maguire Act of 2013”?
Instead of 48 hours’ warning, make it 2 business days. This is because it is quite common for companies’ decision makers to become incommunicado, even from their own employees, during weekends and holidays, when the people left behind are not authorized to respond to anything outside normal business activities.
Not all institutions have a public web site, especially smaller companies whose sales are not to consumers but within an industry. Most of those institutions have a payroll system, where they can easily have over 50 employees’ personal identification info at risk of breach.
Some institutions do not have a responsible person, as defined by this proposed law. They may have someone who wears many hats, one of which is cyber security, and who perhaps attends to that detail once a month. They may rely upon outside consultants, not on call duty all the time, but only called when top management thinks there is a problem worthy of calling them.
Companies can set up e-mail systems with various names of “responsible parties” in charge of various duties, which are forwarded to the current real people in those jobs; then, with turnover, and not much in the way of a computer department, those “responsible parties’” e-mail addresses can become no one home.
There needs to be an alternative way for institutions without web sites, or without persons with cyber security responsibilities, to accept breach reports. I suggest: fax machine; snail mail address; company law firm contact info; company auditors identified.
How can an institution have a breach if they do not have a web site? They can have computers connected to the Internet via e-mail, FTP, VPN, WiFi, and many other communication protocols. They can have dumpsters open to dumpster diving. They can have weaknesses in physical security. They can have auditors, or other 3rd-party access to their data, which have breakdowns in security.
Many web sites are not intended to accept comments. Some government web sites are like that. They exist only to broadcast info to the public.